Help, I'm being attacked!
#1
Scooby Regular
Thread Starter
Join Date: Apr 2003
Location: Location: Location:
Posts: 1,097
Hello boffins,
For some reason, a file keeps getting copied / installed to this location on my Win2000 machine.
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\683e8586.exe
It also finds its way into the registry under HKLM/blah blah/RUN_ONCE under the value name sys1612188 and command line
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\683e8586.exe
Microsoft's antispyware blocks this registry key, but it also appears in HKEY_CURRENT_USER and runs! It can be stopped using the task manager. I've looked in the file using a hex editor; it's only 8k, but there's a print, SOCK, RasEnum and MSVCRT.dll all mentioned in there.
When it runs, there is initial network activity, and it seems to start up ntvdm.dll (and wowexec.dll).
NAV is up to date and shows everything is clean.
Any thoughts? The only thing I installed recently was a shareware/demo version of a winRAR unzipper. It has since been uninstalled.
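The persistence described in the opening post (an executable dropped into the user's Temp folder and referenced from RunOnce under HKLM, then reappearing under HKCU) is the kind of thing a quick autorun audit catches before an AV signature exists. The following is an added example, not code from any post in this thread: a Python script that parses the text output of `reg query` for the Run/RunOnce keys of both hives and flags entries whose executable lives in a Temp directory, has a random-looking hex file name, or is registered under more than one hive. The sample `reg query` output is constructed (only the value name and path come from the post; the other two entries are made up for contrast), and the row layout assumed (`    name    REG_SZ    data`) is that of XP and later reg.exe; the Windows 2000 Resource Kit reg.exe prints a different layout, so adjust `ROW_RE` if you feed it that.

```python
import re
from dataclasses import dataclass

# Autorun keys worth auditing in both hives. RunOnce values are deleted by
# Windows after they execute, so a RunOnce entry that survives a reboot is
# being re-created by something.
AUTORUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Constructed sample of `reg query <key>` output (XP-style layout assumed).
# Only the sys1612188 entries reflect the thread; ctfmon and "NAV Agent" are
# made-up benign rows so the filter has something to leave alone.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    sys1612188    REG_SZ    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\683e8586.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sys1612188    REG_SZ    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\683e8586.exe
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NAV Agent    REG_SZ    "C:\Program Files\Norton AntiVirus\navapw32.exe" /quiet
"""

# One value row: indent, value name, REG_* type, data; columns are separated
# by runs of two or more spaces, which allows a space inside the value name.
ROW_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
TEMP_DIR_RE = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str
    name: str
    reg_type: str
    command: str


def parse_reg_query(text):
    """Turn concatenated `reg query` output into AutorunEntry objects."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HKEY_"):
            key = line.strip()          # unindented line names the key
            continue
        m = ROW_RE.match(line)
        if m and key:
            entries.append(AutorunEntry(key, m["name"], m["type"], m["data"].strip()))
    return entries


def executable_path(command):
    """Extract the program path from a Run value: quoted path, or unquoted path up to .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[:m.end()] if m else command.split()[0]


def audit(entries):
    """Return [(entry, [reasons])] for entries that look like dropper persistence."""
    by_path = {}
    for e in entries:
        by_path.setdefault(executable_path(e.command).lower(), []).append(e)
    flagged = []
    for e in entries:
        path = executable_path(e.command)
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if TEMP_DIR_RE.search(path):
            reasons.append("executable lives in a Temp directory")
        if HEX_NAME_RE.match(base):
            reasons.append("file name is 8 hex digits (random-looking)")
        hives = sorted({x.key.split("\\")[0] for x in by_path[path.lower()]})
        if len(hives) > 1:
            reasons.append("same executable registered under " + " and ".join(hives))
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    # On a live box, replace SAMPLE_REG_QUERY with the output of
    #   reg query "<key>"   for each key in AUTORUN_KEYS.
    for entry, reasons in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{entry.key}\n  {entry.name} = {entry.command}")
        for r in reasons:
            print(f"    - {r}")
```

The Temp-directory check is the strong signal here: legitimate installers do not leave their payload in `%TEMP%` and point Run keys at it. The 8.3 form of the path (`DOCUME~1\ADMINI~1\LOCALS~1`) is not itself suspicious, since that is simply what `%TEMP%` expands to on Windows 2000, which is why the script does not flag it.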
#2
Scooby Senior
iTrader: (2)
Join Date: Jan 2004
Location: England
Posts: 18,358
Originally Posted by Jiggerypokery
Hello boffins,
For some reason, a file keeps getting copied / installed to this location on my Win2000 machine.
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\683e8586.exe
When it runs, there is initial network activity, and it seems to start up ntvdm.dll (and wowexec.dll).
Have you tried to "roll back"?
#3
Scooby Senior
iTrader: (2)
Join Date: Jan 2004
Location: England
Posts: 18,358
Actually it looks worse than I thought....
The mere mention of RasEnum and MSVCRT.dll screams out to me that you have a virus infection. The .dll is a visual basic entry and rasenum collects data from your address book. Hhhhmmmmm.
Opened any strange emails about Anna Kournikova recently?
I just don't get why your AV program doesn't pick up on it.
#4
Scooby Regular
Thread Starter
Join Date: Apr 2003
Location: Location: Location:
Posts: 1,097
Originally Posted by Milamber
Actually it looks worse than I thought....
The mere mention of RasEnum and MSVCRT.dll scream out to me that you have a virus infection. The .dll is a visual basic entry and rasenum collects data from your address book. Hhhhmmmmm.
Opened any strange emails about Anna Kournikova recently?
I just don't get why your AV program doesn't pick up on it.
I might try copying the file to another machine with WinXP and McAfee to see if it picks it up.
I'm also running ad-aware which shows nothing out of the ordinary.
#7
Scooby Regular
Thread Starter
Join Date: Apr 2003
Location: Location: Location:
Posts: 1,097
Originally Posted by JackClark
Go here www.webimmune.net and submit the file.
Will they get back to me, or is it a black hole?
#9
Scooby Regular
Thread Starter
Join Date: Apr 2003
Location: Location: Location:
Posts: 1,097
Hello Jack,
I received an update for McAfee in the form of a dat file, which detects this file, but, I can't use McAfee on my main machine as it interferes with another program which needs to access a remote network.
Sygate firewall tells me the file is trying to access www.google.com (216.239.59.104) using remote port 80.
Any thoughts on why it would want to do this? Thanks.
#10
Originally Posted by Jiggerypokery
Hello Jack,
I received an update for McAfee in the form of a dat file, which detects this file, but, I can't use McAfee on my main machine as it interferes with another program which needs to access a remote network.
Sygate firewall tells me the file is trying to access www.google.com (216.239.59.104) using remote port 80.
Any thoughts on why it would want to do this? Thanks.